Yahoo to pay $117.5M in latest settlement of massive breach

Nearly 200 million people who had sensitive information snatched from their Yahoo accounts will receive two years of free credit-monitoring services and other potential restitution in a legal settlement valued at $117.5 million.

Continue Reading Below

The deal revises an earlier agreement struck last October, only to be rejected by U.S. District Court Judge Lucy Koh in San Jose, California. The value of that settlement had been pegged at $50 million, but Koh questioned the calculations.

A more detailed breakdown used in the revised settlement drove up the estimated cost. The money will be paid by Yahoo's current owner, Verizon, and Altaba, a holdover from Yahoo's past that still owns a stake in Chinese internet company Alibaba Group worth billions of dollars.

If approved, the settlement will become part of the financial fallout from digital burglaries that stole personal information from about 3 billion Yahoo accounts in 2013 and 2014 — believed to be the biggest data breach ever.

And now the $117.5 million settlement could become largest amount ever doled out for a data breach, a recurring problem in an increasingly digitally driven world. It eclipses a $115 million settlement that Koh approved last year to cover 79 million people who had personal information stolen in a 2015 breach at health insurer Anthem Inc.

Yahoo didn't begin to disclose the extent of its security breakdown until 2016 amid an FBI investigation that eventually linked some of the hacking to Russia . The revelations brought a mortifying end to the reign of Yahoo CEO Marissa Mayer, eventually prompting the company to reduce its selling price to Verizon by $350 million.

Verizon has since written off much of the nearly $4.5 billion price for the Yahoo acquisition in sign of the eroding value of that business.

Lawyers representing the Yahoo accountholders estimate about 194 million people in U.S. and Israel will be eligible to make claims, according to court documents. Those people collectively may have had about 896 million of the Yahoo accounts hit in the break-ins.

The biggest piece of the revised Yahoo settlement disclosed in documents filed Tuesday consists of the free credit-monitoring services that will be offered to everyone covered by the deal to protect them from identity theft and other potential problems. The service from AllClear usually costs $14.95 per month, or $359 for two years. People who already have a credit-monitoring service will be eligible for cash payments instead.

Yahoo accountholders who paid anywhere for $20 to $50 annually for premium email accounts will be eligible for refunds of up to 25%. People who had to spend time protecting their identities or dealing with other issues caused by the breach can be seek to be paid at a rate of $25 per hour for up to 15 hours.

The settlement will also pay up to $32.5 million in fees and other expenses to the lawyers representing Yahoo accountholders, down from the $37.5 million sought in the earlier agreement — another sticking point for Koh.

As part of the deal, Verizon also has pledged to continue to expand upon the security that it has already added since taking over Yahoo. The Verizon division that includes Yahoo expects to spend an average of about $81 million annually on security from 2018 to 2022, up from average of about $15 million annually from 2013 to 2016 when Yahoo was still independent, according to court documents.

"We believe that the settlement demonstrates our strong commitment to security," Verizon said in a statement. John Yanchunis, a lawyer representing Yahoo accountholders, declined to comment.